Breez MCP

Live connection to mcp.bree-z.com/mcp. Auth uses Cloudflare Access OAuth via the dynamic-client-registration flow your browser does on first connect — same identity as the rest of *.bree-z.com.

Initializing…

Tools

Resources

Prompts

Raw session

How it works

1. First load — page hits https://mcp.bree-z.com/.well-known/oauth-authorization-server, then /oauth-protected-resource. Both unauthenticated, returns metadata.
2. Click Connect — we POST a Dynamic Client Registration with this page's redirect URI (https://bree-z-ops-admin.pages.dev/mcp/). Cloudflare Access mints us an ephemeral client_id.
3. Browser bounce — redirect to breez.cloudflareaccess.com/cdn-cgi/access/oauth/authorization?… with PKCE (S256). Your existing CF Access session ends the consent in one click.
4. Token exchange — the page swaps the returned code for an access_token at breez.cloudflareaccess.com/cdn-cgi/access/oauth/token. Token lives in sessionStorage (cleared on tab close).
5. MCP — page calls mcp.bree-z.com/mcp with Authorization: Bearer <token> over the streamable-HTTP transport, runs tools/list + resources/list + prompts/list, and renders below.

[!info] Need shell-side access? The full MCP Inspector with stateful tool invocation runs locally:

~/repos/bree-z-ansible/scripts/breez-mcp-inspector.sh

It does the same OAuth dance against your default browser.